Merge remote-tracking branch 'origin/develop' into feat/414-large-num…

…bers-of-projects-on-the-home-page-are-difficult-to-navigate

.github/workflows/release-pipeline.yaml

@@ -75,5 +75,5 @@ jobs:
       version: ${{ needs.set-version.outputs.version }}
       image: 'ghcr.io/sillsdev/lexbox-*'
       k8s-environment: production
-      deploy-domain: prod.languagedepot.org
+      deploy-domain: languagedepot.org
 

backend/LexBoxApi/Auth/AdminRequiredAttribute.cs → backend/LexBoxApi/Auth/Attributes/AdminRequiredAttribute.cs

@@ -1,4 +1,4 @@
-namespace LexBoxApi.Auth;
+namespace LexBoxApi.Auth.Attributes;
 
 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
 public class AdminRequiredAttribute : LexboxAuthAttribute

backend/LexBoxApi/Auth/CreateProjectRequiredAttribute.cs → backend/LexBoxApi/Auth/Attributes/CreateProjectRequiredAttribute.cs

@@ -1,4 +1,4 @@
-namespace LexBoxApi.Auth;
+namespace LexBoxApi.Auth.Attributes;
 
 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
 public class CreateProjectRequiredAttribute: LexboxAuthAttribute

backend/LexBoxApi/Auth/LexboxAuthAttribute.cs → backend/LexBoxApi/Auth/Attributes/LexboxAuthAttribute.cs

@@ -3,7 +3,7 @@
 using Microsoft.AspNetCore.Authorization;
 using AuthorizeAttribute = HotChocolate.Authorization.AuthorizeAttribute;
 
-namespace LexBoxApi.Auth;
+namespace LexBoxApi.Auth.Attributes;
 
 public abstract class LexboxAuthAttribute : DescriptorAttribute, IAuthorizeData
 {

backend/LexBoxApi/Auth/Attributes/RequireAudienceAttribute.cs

@@ -0,0 +1,33 @@
+using LexCore.Auth;
+using Microsoft.AspNetCore.Authorization;
+
+namespace LexBoxApi.Auth.Attributes;
+
+public class RequireAudienceAttribute(params LexboxAudience[] audiences)
+    : LexboxAuthAttribute(PolicyName), IAuthorizationRequirement, IAuthorizationRequirementData
+{
+    public const string PolicyName = "RequireAudiencePolicy";
+    /// <param name="audience">audience allowed to access this endpoint</param>
+    /// <param name="exclusive">when false the default audience is also allowed, when true the default audience is not allowed</param>
+    public RequireAudienceAttribute(LexboxAudience audience, bool exclusive = false) : this(exclusive
+        ? [audience]
+        : [audience, LexboxAudience.LexboxApi])
+    {
+    }
+
+    public LexboxAudience[] ValidAudiences { get; } = audiences;
+
+    public IEnumerable<IAuthorizationRequirement> GetRequirements()
+    {
+        yield return this;
+    }
+}
+
+public class AllowAnyAudienceAttribute : LexboxAuthAttribute
+{
+    public const string PolicyName = "AllowAnyAudiencePolicy";
+
+    public AllowAnyAudienceAttribute() : base(PolicyName)
+    {
+    }
+}

backend/LexBoxApi/Auth/Attributes/RequireCurrentUserInfoAttribute.cs

@@ -0,0 +1,15 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace LexBoxApi.Auth.Attributes;
+
+/// <summary>
+/// validates the updated date of the jwt against the database, should be used to make a jwt expire if the user is updated
+/// </summary>
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+public class RequireCurrentUserInfoAttribute: Attribute, IAuthorizationRequirement, IAuthorizationRequirementData
+{
+    public IEnumerable<IAuthorizationRequirement> GetRequirements()
+    {
+        yield return this;
+    }
+}

backend/LexBoxApi/Auth/VerifiedEmailRequiredAttribute.cs → backend/LexBoxApi/Auth/Attributes/VerifiedEmailRequiredAttribute.cs

@@ -1,4 +1,4 @@
-namespace LexBoxApi.Auth;
+namespace LexBoxApi.Auth.Attributes;
 
 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
 public class VerifiedEmailRequiredAttribute : LexboxAuthAttribute

backend/LexBoxApi/Auth/AuthKernel.cs

@@ -1,6 +1,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Http.Headers;
 using System.Text;
+using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Auth.Requirements;
 using LexCore.Auth;
 using Microsoft.AspNetCore.Authentication.Cookies;
@@ -25,10 +26,12 @@ public static void AddLexBoxAuth(IServiceCollection services,
         if (environment.IsDevelopment())
         {
             IdentityModelEventSource.ShowPII = true;
+            IdentityModelEventSource.LogCompleteSecurityArtifact = true;
         }
 
         services.AddScoped<LexAuthService>();
         services.AddSingleton<IAuthorizationHandler, AudienceRequirementHandler>();
+        services.AddSingleton<IAuthorizationHandler, ValidateUserUpdatedHandler>();
         services.AddAuthorization(options =>
         {
             //fallback policy is used when there's no auth attribute.
@@ -37,24 +40,11 @@ public static void AddLexBoxAuth(IServiceCollection services,
             options.FallbackPolicy = options.DefaultPolicy = new AuthorizationPolicyBuilder()
                 .RequireDefaultLexboxAuth()
                 .Build();
-            foreach (var audience in Enum.GetValues<LexboxAudience>())
-            {
-                if (audience == LexboxAudience.Unknown) continue;
-                //for exclusive the endpoint is only accessible for the specified audience
-                options.AddPolicy(audience.PolicyName(true), builder =>
-                {
-                    builder.RequireAuthenticatedUser();
-                    builder.AddRequirements(new AudienceRequirement(audience));
-                });
-                //for non exclusive the endpoint is also accessible for the default audience
-                options.AddPolicy(audience.PolicyName(false), builder =>
-                {
-                    builder.RequireAuthenticatedUser();
-                    builder.AddRequirements(new AudienceRequirement(audience, LexboxAudience.LexboxApi));
-                });
-            }
+
             //don't use RequireDefaultLexboxAuth here because that only allows the default audience
             options.AddPolicy(AllowAnyAudienceAttribute.PolicyName, builder => builder.RequireAuthenticatedUser());
+            //we still need this policy, without it the default policy is used which requires the default audience
+            options.AddPolicy(RequireAudienceAttribute.PolicyName, builder => builder.RequireAuthenticatedUser());
 
             options.AddPolicy(AdminRequiredAttribute.PolicyName,
                 builder => builder.RequireDefaultLexboxAuth()
@@ -181,7 +171,7 @@ public static void AddLexBoxAuth(IServiceCollection services,
     public static AuthorizationPolicyBuilder RequireDefaultLexboxAuth(this AuthorizationPolicyBuilder builder)
     {
         return builder.RequireAuthenticatedUser()
-            .AddRequirements(new AudienceRequirement(LexboxAudience.LexboxApi));
+            .AddRequirements(new RequireAudienceAttribute(LexboxAudience.LexboxApi, true));
     }
 
     public static bool IsJwtRequest(this HttpRequest request)

backend/LexBoxApi/Auth/Requirements/AudienceRequirementHandler.cs

@@ -1,22 +1,14 @@
-using LexCore.Auth;
+using LexBoxApi.Auth.Attributes;
+using LexCore.Auth;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace LexBoxApi.Auth.Requirements;
 
-public class AudienceRequirement : IAuthorizationRequirement
+public class AudienceRequirementHandler(ILogger<AudienceRequirementHandler> logger) : AuthorizationHandler<RequireAudienceAttribute>
 {
-    public LexboxAudience[] ValidAudiences { get; }
 
-    public AudienceRequirement(params LexboxAudience[] validAudiences)
-    {
-        ValidAudiences = validAudiences;
-    }
-}
-
-public class AudienceRequirementHandler : AuthorizationHandler<AudienceRequirement>
-{
-    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AudienceRequirement requirement)
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        RequireAudienceAttribute requirement)
     {
         var claim = context.User.FindFirst(LexAuthConstants.AudienceClaimType);
         if (Enum.TryParse<LexboxAudience>(claim?.Value, out var audience) &&
@@ -26,6 +18,7 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
         }
         else
         {
+            logger.LogInformation("Token does not have the required audience: [{Audience}] not in {ValidAudiences}", claim?.Value, string.Join(',', requirement.ValidAudiences));
             context.Fail(new AuthorizationFailureReason(this,
                 $"Token does not have the required audience: {requirement.ValidAudiences}"));
         }

backend/LexBoxApi/Auth/Requirements/ValidateUserUpdatedHandler.cs

@@ -0,0 +1,28 @@
+using LexBoxApi.Auth.Attributes;
+using LexBoxApi.Services;
+using LexData;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.EntityFrameworkCore;
+
+namespace LexBoxApi.Auth.Requirements;
+
+public class ValidateUserUpdatedHandler(IHttpContextAccessor httpContextAccessor, ILogger<ValidateUserUpdatedHandler> logger) : AuthorizationHandler<RequireCurrentUserInfoAttribute>
+{
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, RequireCurrentUserInfoAttribute requirement)
+    {
+        var httpContext = httpContextAccessor.HttpContext;
+        var user = httpContext?.RequestServices.GetRequiredService<LoggedInContext>().MaybeUser;
+        if (user is null) return;
+        var userService = httpContext!.RequestServices.GetRequiredService<UserService>();
+        var actualUpdatedDate = await userService.GetUserUpdatedDate(user.Id);
+        if (actualUpdatedDate != user.UpdatedDate)
+        {
+            logger.LogInformation("User has been updated since login, {UpdatedDate} != {ActualUpdatedDate}", user.UpdatedDate, actualUpdatedDate);
+            context.Fail(new AuthorizationFailureReason(this, "User has been updated since login"));
+        }
+        else
+        {
+            context.Succeed(requirement);
+        }
+    }
+}

backend/LexBoxApi/Controllers/AdminController.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using LexBoxApi.Auth;
+using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Services;
 using LexCore;
 using LexData;
@@ -33,9 +34,9 @@ public record ResetPasswordAdminRequest([Required(AllowEmptyStrings = false)] st
     public async Task<ActionResult> ResetPasswordAdmin(ResetPasswordAdminRequest request)
     {
         var passwordHash = request.PasswordHash;
-        var lexAuthUser = _loggedInContext.User;
         var user = await _lexBoxDbContext.Users.FirstAsync(u => u.Id == request.userId);
         user.PasswordHash = PasswordHashing.HashPassword(passwordHash, user.Salt, true);
+        user.UpdateUpdatedDate();
         await _lexBoxDbContext.SaveChangesAsync();
         await _emailService.SendPasswordChangedEmail(user);
         return Ok();

backend/LexBoxApi/Controllers/AuthTestingController.cs

@@ -1,4 +1,5 @@
 using LexBoxApi.Auth;
+using LexBoxApi.Auth.Attributes;
 using LexCore.Auth;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

backend/LexBoxApi/Controllers/LoginController.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using LexBoxApi.Auth;
+using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Models;
 using LexBoxApi.Otel;
 using LexBoxApi.Services;
@@ -52,11 +53,23 @@ public async Task<ActionResult> LoginRedirect(
         string jwt, // This is required because auth looks for a jwt in the query string
         string returnTo)
     {
+        var user = _loggedInContext.User;
+        var userUpdatedDate = await _userService.GetUserUpdatedDate(user.Id);
+        if (userUpdatedDate != user.UpdatedDate)
+        {
+            return await EmailLinkExpired();
+        }
         await HttpContext.SignInAsync(User,
             new AuthenticationProperties { IsPersistent = true });
         return Redirect(returnTo);
     }
 
+    private async Task<ActionResult> EmailLinkExpired()
+    {
+        await HttpContext.SignOutAsync();
+        return Redirect("/login?message=link_expired");
+    }
+
     [HttpGet("verifyEmail")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
@@ -73,9 +86,17 @@ public async Task<ActionResult<LexAuthUser>> VerifyEmail(
         var userId = _loggedInContext.User.Id;
         var user = await _lexBoxDbContext.Users.FindAsync(userId);
         if (user == null) return NotFound();
+        //users can verify their email even if the updated date is out of sync when not changing their email
+        //this is to prevent some edge cases where changing their name and then using an old verify email link would fail
+        if (user.Email != _loggedInContext.User.Email &&
+            user.UpdatedDate.ToUnixTimeSeconds() != _loggedInContext.User.UpdatedDate)
+        {
+            return await EmailLinkExpired();
+        }
 
         user.Email = _loggedInContext.User.Email;
         user.EmailVerified = true;
+        user.UpdateUpdatedDate();
         await _lexBoxDbContext.SaveChangesAsync();
         await RefreshJwt();
         return Redirect(returnTo);
@@ -136,12 +157,18 @@ public record ResetPasswordRequest([Required(AllowEmptyStrings = false)] string
 
     [HttpPost("resetPassword")]
     [RequireAudience(LexboxAudience.ForgotPassword)]
+    [RequireCurrentUserInfo]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesDefaultResponseType]
     public async Task<ActionResult> ResetPassword(ResetPasswordRequest request)
     {
         var passwordHash = request.PasswordHash;
         var lexAuthUser = _loggedInContext.User;
-        var user = await _lexBoxDbContext.Users.FirstAsync(u => u.Id == lexAuthUser.Id);
+        var user = await _lexBoxDbContext.Users.FindAsync(lexAuthUser.Id);
+        if (user == null) return NotFound();
         user.PasswordHash = PasswordHashing.HashPassword(passwordHash, user.Salt, true);
+        user.UpdateUpdatedDate();
         await _lexBoxDbContext.SaveChangesAsync();
         await _emailService.SendPasswordChangedEmail(user);
         //the old jwt is only valid for calling forgot password endpoints, we need to generate a new one

backend/LexBoxApi/Controllers/MigrationController.cs

@@ -1,4 +1,5 @@
 using LexBoxApi.Auth;
+using LexBoxApi.Auth.Attributes;
 using LexBoxApi.Services;
 using LexCore.Entities;
 using LexData;